diff --git a/NEWS b/NEWS index 961efbfbe..7aeb845a2 100644 --- a/NEWS +++ b/NEWS @@ -1,15 +1,23 @@ -Release Notes - Heimdal - Version Heimdal 1.6 +Release Notes - Heimdal - Version Heimdal 7.1 Security - - ... + - kx509 realm-chopping security bug - non-authorization of alias additions/removals in kadmind + (CVE-2016-2400) Feature + - iprop has been revamped to fix a number of race conditions that could + lead to inconsistent replication + - Hierarchical capath support + - AES Encryption with HMAC-SHA2 for Kerberos 5 + draft-ietf-kitten-aes-cts-hmac-sha2-11 + - hcrypto is now thread safe on all platforms - libhcrypto has new backends: CNG (Windows), PKCS#11 (mainly for Solaris), and OpenSSL. OpenSSL is now a first-class libhcrypto backend. - OpenSSL 1.0.x and 1.1 are both supported. + OpenSSL 1.0.x and 1.1 are both supported. AES-NI used when supported by + backend - HDB now supports LMDB - Thread support on Windows - RFC 6113 Generalized Framework for Kerberos Pre-Authentication (FAST) @@ -21,10 +29,10 @@ Release Notes - Heimdal - Version Heimdal 1.6 - asn1_compile 64-bit INTEGER functionality - HDB key history support including --keepold kadmin password option - Improved cross-realm key rollover safety - - New krb5_kuserok() plug-in interface + - New krb5_kuserok() and krb5_aname_to_localname() plug-in interfaces - Improved MIT compatibility . kadm5 API - . Migration from MIT KDB via "mitdb" HDB backend. + . Migration from MIT KDB via "mitdb" HDB backend . Capable of writing the HDB in MIT dump format - Improved Active Directory interoperability . Enctype selection issues for PAC and other authz-data signatures 
@@ -34,6 +42,8 @@ Release Notes - Heimdal - Version Heimdal 1.6 . svc-use-strongest-session-key . preauth-use-strongest-session-key . use-strongest-server-key + - The KDC process now uses a multi-process model improving + resiliency and performance - Allow batch-mode kinit with password file - SIGINFO support added to kinit cmd - New kx509 configuration options: @@ -44,6 +54,8 @@ Release Notes - Heimdal - Version Heimdal 1.6 - Improved Heimdal library/plugin version safety - Name canonicalization . DNS resolver searchlist + . Improved referral support + . Support host:port host-based services - Pluggable libheimbase interface for DBs - Improve IPv6 Support - LDAP @@ -51,6 +63,17 @@ Release Notes - Heimdal - Version Heimdal 1.6 . Start TLS - klist --json - DIR credential cache type + - Updated upstream SQLite and libedit + - Removed legacy applications: ftp, kx, login, popper, push, rcp, rsh, + telnet, xnlock + - Completely remove RAND_egd support + - Moved kadmin and ktutil to /usr/bin + - Stricter fcache checks (see fcache_strict_checking krb5.conf setting) + . use O_NOFOLLOW + . don't follow symlinks + . require cache files to be owned by the user + . require sensible permissions (not group/other readable) + - Implemented gss_store_cred() - Many more Bug fixes 
@@ -67,27 +90,44 @@ Release Notes - Heimdal - Version Heimdal 1.6 - Plugins are now preferentially loaded from the run-time install tree - Reauthentication after password change in init_creds_password - Memory leak in the client kadmin library - - TGS client requests renewable/forwardable/proxiable when possible. + - TGS client requests renewable/forwardable/proxiable when possible - Locking issues in DB1 and DB3 HDB backends - Master HDB can remain locked while waiting for network I/O - Renewal/refresh logic when kinit is provided with a command - KDC handling of enterprise principals + - Use correct bit for anon-pkinit - Many more Acknowledgements This release of Heimdal includes contributions from: - Andrew Bartlett, Andrew Tridgell, Arran Cudbard-Bell, Arvid Requate, - Ben Kaduk, Dana Koch, Daniel Schepler, Eray Aslan, Fredrik Pettai, - Gustavo Zacarias, Harald Barth, Howard Chu, Igor Sobrado, Ingo Schwarze, - James Le Cuirot, James Lee, Jeffrey Altman, Jeffrey Clark, Jeffrey Hutzelman, - Jelmer Vernooij, Ken Dreyer, Kumar Thangavelu, Landon Fuller, Linus Nordberg, - Love Hörnquist Åstrand, Luke Howard, Magnus Ahltorp, Marco Molteni, - Michael Meffie, Moritz Lenz, Nico Williams, Nicolas Williams, Patrik Lundin, - Philip Boulain, Ragnar Sundblad, Rod Widdowson, Roland C. Dowdeswell, - Ross L Richardson, Russ Allbery, Samuel Thibault, Simon Wilkinson, - Stef Walter, Stefan Metzmacher, Steffen Jaeckel, Tollef Fog Heen, Tony Acero, - Viktor Dukhovni + + Abhinav Upadhyay Heath Kehoe Nico Williams + Andreas Schneider Henry Jacques Patrik Lundin + Andrew Bartlett Howard Chu Philip Boulain + Andrew Tridgell Igor Sobrado Ragnar Sundblad + Antoine Jacoutot Ingo Schwarze Remi Ferrand + Arran Cudbard-Bell Jakub Čajka Rod Widdowson + Arvid Requate James Le Cuirot Rok Papež + Asanka Herath James Lee Roland C. 
Dowdeswell + Ben Kaduk Jeffrey Altman Ross L Richardson + Benjamin Kaduk Jeffrey Clark Russ Allbery + Bernard Spil Jeffrey Hutzelman Samuel Cabrero + Brian May Jelmer Vernooij Samuel Thibault + Chas Williams Ken Dreyer Santosh Kumar Pradhan + Chaskiel Grundman Kiran S J Sean Davis + Dana Koch Kumar Thangavelu Sergio Gelato + Daniel Schepler Landon Fuller Simon Wilkinson + David Mulder Linus Nordberg Stef Walter + Douglas Bagnall Love Hörnquist Åstrand Stefan Metzmacher + Ed Maste Luke Howard Steffen Jaeckel + Eray Aslan Magnus Ahltorp Timothy Pearson + Florian Best Marc Balmer Tollef Fog Heen + Fredrik Pettai Marcin Cieślak Tony Acero + Greg Hudson Marco Molteni Uri Simchoni + Gustavo Zacarias Matthieu Hautreux Viktor Dukhovni + Günther Deschner Michael Meffie Volker Lendecke + Harald Barth Moritz Lenz Release Notes - Heimdal - Version Heimdal 1.5.3
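Review bot: In the @@ -1,15 +1,23 @@ hunk, the Security section attaches (CVE-2016-2400) to the kadmind alias entry, but "kx509 realm-chopping security bug" carries no identifier and no statement of impact. Suggest adding a one-line description of what is affected to the kx509 entry, and laying out the two items so that it is unambiguous that the CVE belongs to the kadmind item only. The header also moves from "Heimdal 1.6" to "Heimdal 7.1" with no explanation of the renumbering; a sentence on that would help packagers tracking versions.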
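Review bot: In the @@ -21,10 +29,10 @@ hunk, "New krb5_kuserok() and krb5_aname_to_localname() plug-in interfaces" names two interfaces that decide how a principal maps to a local account, but the entry does not say where they are documented or how a plug-in is selected. Suggest adding a pointer to the relevant manual page or krb5.conf section, since a misconfigured plug-in here changes who is authorized to log in.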
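Review bot: In the @@ -34,6 +42,8 @@ hunk, "The KDC process now uses a multi-process model improving resiliency and performance" does not say how the number of processes is controlled or whether the old single-process behaviour can be restored. Suggest naming the option that governs this, because operators with process supervision, resource limits or per-process monitoring on the KDC will need to adjust them on upgrade.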
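Review bot: In the @@ -51,6 +63,17 @@ hunk, the "Stricter fcache checks" entry names the fcache_strict_checking setting but not its default value or what a user sees when a cache file fails a check, and the sub-items "use O_NOFOLLOW" and "don't follow symlinks" read as one check listed twice. Suggest stating the default, merging those two sub-items, and noting the failure behaviour so that administrators can recognise it in support requests. The same hunk files the removal of the legacy applications, the removal of RAND_egd support and the move of kadmin and ktutil to /usr/bin under Feature; these can break existing scripts and packaging and would be easier to find under a separate heading for behaviour changes.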
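Review bot: In the @@ -67,27 +90,44 @@ hunk, "Use correct bit for anon-pkinit" does not say whether the corrected flag bit affects interoperability with clients or KDCs still running an older release. Suggest adding a short compatibility remark to that entry. In the reworked Acknowledgements table, "Ben Kaduk" and "Benjamin Kaduk" are both listed, while the old pair "Nico Williams, Nicolas Williams" has been reduced to a single "Nico Williams"; if these are the same contributor, apply the same de-duplication to the Kaduk entries.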